Change History (18)

Using about:buildconfig, the browser reports compiler flags and configure arguments for our tor-browser.git builds. Are these a complete list of the compiler flags actually used? I don't know. In any case, here are the current reports:

Here are some security flags I think we can add to the gcc-based builds (Linux and mingw). There is heavy overlap with the proposed flags in https://bugzilla.mozilla.org/show_bug.cgi?id=620058. (I think we should be able to add similar flags to the clang-based builds -- I will look into that after we settle on flags to add to gcc.)

Indeed this covers most of the flags I mentioned. I'm not sure about -Wl,-z,relro,-z,now. gk, do you know how these are covered? boklm pointed me to a part of the Tor Browser test suite that seems to indicate that full relro is applied. Is that correct?

I think it would be useful also to somehow confirm that we are now using -fstack-protector-strong and not -fstack-protector; I will try to investigate that.

I'm not familiar with Windows/mingw build flags, but it looks like we could possibly switch to -fstack-protector-strong. Also I wonder if -D_FORTIFY_SOURCE=2 and the relro flags make sense.

On Mac, we are adding -fPIE to the clang flags in gitian/descriptors/mac/gitian-firefox.yml. clang largely supports gcc's build flags, so I think we could probably add most or all of the flags from comment:6 to the build. (I tried all of those flags with clang++ while building a "hello world" C++ program and confirmed that clang++ at least did not complain that any of the flags were unknown.)

I read in Tice et al. 2014 that there is a mechanism in the VTV code to "whitelist" some parts of the code that would otherwise fail verification. I wonder if that feature is deployed in the gcc VTV implementation and could be used to get around the problematic vtable hacking Nathan Froyd mentions in the Mozilla bug. Similarly, clang's -fsanitize has an option to blacklist certain functions so that they also don't fail verification.

Something else that occurs to me is it would be nice to document our hardening flags for each build (hardened, alpha, release) in the Tor Browser design document.

Yes, full relro is applied. I think we get the flags you mentioned by export DEB_BUILD_HARDENING=1. The other *HARDENING flags should not be needed. I opened #21565 for the clean-up.

hardening-check can only check the resulting binaries and thus might not catch missing hardening flags if they are only missing in a few places. blhc is a small parser written in Perl which checks the build logs for missing hardening flags. It can be used on build logs created by dpkg-buildpackage or buildd.
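As an added example (not code from this ticket, from blhc, or from the Tor Browser build system), the following Python script does the kind of build-log check described above: it tokenizes each compiler invocation in a log and reports compile lines whose last -fstack-protector* option is not -fstack-protector-strong, lines where -D_FORTIFY_SOURCE=2 is missing or inert because of -O0, and link lines missing -Wl,-z,relro or -Wl,-z,now. The sample log and its file names are constructed for illustration. Because it reads the log rather than the binary, it catches a single object compiled with plain -fstack-protector, which hardening-check cannot see; because it only reads explicit flags, it cannot see hardening a toolchain enables by default.

```python
"""Scan a build log for compiler and linker lines that lack hardening flags.

Added example for this ticket, not Tor Browser build code. Like blhc it works
from the build log rather than the binaries, so it can spot one object built
with plain -fstack-protector that hardening-check would never notice. It sees
only explicit flags: defaults baked into a toolchain (for example a gcc built
with --enable-default-pie) are invisible to it.
"""
import re
import shlex

# Constructed sample log (file names are made up). Lines 3, 4, 5 and 7 are
# deliberately deficient; line 8 is a mingw link, where RELRO does not apply.
SAMPLE_LOG = """\
gcc -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -c nsFoo.cpp -o nsFoo.o
gcc -O2 -fstack-protector -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -c nsBar.cpp -o nsBar.o
gcc -O0 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -c nsBaz.cpp -o nsBaz.o
gcc -O2 -fstack-protector-strong -fstack-protector -D_FORTIFY_SOURCE=2 -fPIE -c nsQux.cpp -o nsQux.o
gcc -O2 -fstack-protector-strong -fPIE -c nsQuux.cpp -o nsQuux.o
gcc -pie -Wl,-z,relro,-z,now -o plugin-container nsFoo.o nsBar.o
gcc -pie -Wl,-z,relro -o updater nsBaz.o
x86_64-w64-mingw32-g++ -o firefox.exe nsQux.o
make[2]: Leaving directory '/build/obj'
"""

COMPILER_RE = re.compile(r"(^|[-/])(gcc|g\+\+|cc|c\+\+|clang|clang\+\+)$")
STACK_FLAGS = {"-fstack-protector", "-fstack-protector-strong",
               "-fstack-protector-all", "-fno-stack-protector"}
STRONG_STACK = {"-fstack-protector-strong", "-fstack-protector-all"}
OPT_RE = re.compile(r"-O([0-3sgz]?|fast)")


def _ld_z_keywords(tokens):
    """Collect the -z keywords reaching ld from -Wl,-z,relro,-z,now, -z now and -znow forms."""
    ld_args = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-Wl,"):
            ld_args.extend(tok[len("-Wl,"):].split(","))
        elif tok == "-z" and i + 1 < len(tokens):
            ld_args.extend(["-z", tokens[i + 1]])
            i += 1
        elif tok.startswith("-z") and len(tok) > 2:
            ld_args.extend(["-z", tok[2:]])
        i += 1
    return {ld_args[j + 1] for j, a in enumerate(ld_args)
            if a == "-z" and j + 1 < len(ld_args)}


def check_compile(tokens):
    """Return the hardening flags missing from a compile (-c) invocation."""
    missing = []
    # gcc honours the last -fstack-protector* option on the line, so a later
    # plain -fstack-protector silently downgrades an earlier -strong.
    stack = [t for t in tokens if t in STACK_FLAGS]
    if not stack or stack[-1] not in STRONG_STACK:
        missing.append("-fstack-protector-strong")
    level = None
    for t in tokens:
        if t.startswith("-D_FORTIFY_SOURCE="):
            level = t.split("=", 1)[1]
        elif t == "-D_FORTIFY_SOURCE":
            level = "1"          # bare define means level 1
        elif t == "-U_FORTIFY_SOURCE":
            level = None
    opts = [t for t in tokens if OPT_RE.fullmatch(t)]
    if not level or not level.isdigit() or int(level) < 2:
        missing.append("-D_FORTIFY_SOURCE=2")
    elif not opts or opts[-1] == "-O0":
        # The fortified wrappers are only selected when __OPTIMIZE__ is set.
        missing.append("-O1 or higher (FORTIFY_SOURCE is inert at -O0)")
    if not any(t in ("-fPIE", "-fpie", "-fPIC", "-fpic") for t in tokens):
        missing.append("-fPIE")
    return missing


def check_link(tokens):
    """Return the hardening flags missing from a link invocation."""
    if "mingw" in tokens[0]:
        # PE has no GNU_RELRO segment, so -z relro/now mean nothing there; the PE
        # side (--dynamicbase, --nxcompat) is out of scope for this example.
        return []
    missing = []
    z = _ld_z_keywords(tokens)
    if "relro" not in z:
        missing.append("-Wl,-z,relro")
    if "now" not in z:
        missing.append("-Wl,-z,now")
    if "-shared" not in tokens and "-pie" not in tokens:
        missing.append("-pie")
    return missing


def check_build_log(log_text):
    """Return [(line_no, phase, missing_flags)] for each deficient compiler line."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        try:
            tokens = shlex.split(line)
        except ValueError:       # unbalanced quotes: not a command line we can read
            continue
        if not tokens or not COMPILER_RE.search(tokens[0]):
            continue
        if any(t in ("-c", "-E", "-S") for t in tokens):
            phase, missing = "compile", check_compile(tokens)
        else:
            phase, missing = "link", check_link(tokens)
        if missing:
            findings.append((n, phase, missing))
    return findings


if __name__ == "__main__":
    for n, phase, missing in check_build_log(SAMPLE_LOG):
        print(f"line {n} ({phase}): missing {', '.join(missing)}")
```

Feed it the output of a real build (for example `make 2>&1 | tee build.log`, then `check_build_log(open("build.log").read())`) after setting V=1 or the equivalent so that the actual compiler command lines, not abbreviated "CXX foo.o" summaries, are written to the log.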

After a lot of experimentation, I opened #23024 and #23025 to add some extra hardening flags for Windows and Mac respectively. In the meantime I also found several promising flags didn't work after all:

Windows (mingw cross-compile):

-z,relro,-z,now fails (is there an equivalent flag for Windows binaries?)

Replying to arthuredelstein:
During your investigations Mozilla suddenly started to harden Firefox :0. So this looks like the third part of Tor Patch Uplifting project (next to FPI and fingerprinting). (Mark their tickets accordingly ;)
